Ch9 Access Control Lists - Practical Flashcards
Standard ACL Number Ranges
1 to 99 and 1300 to 1999
Extended ACL Number Ranges
100 to 199 and 2000 to 2699
Calculating Wildcard Mask
Subtract specific network’s subnet mask from 255.255.255.255.
Command to Configure IPv4 Standard ACL
access-list access_list_number { deny | permit | remark } source_ip [source_wildcard] [log]
Command that displays the contents of all access lists.
show access-lists
Command to Attach ACL to an Interface
ip access-group {acl_number | acl_name} {in | out}
Configuring Numbered Standard IPv4 ACL (3)
- access-list acl_number {deny | permit | remark } source_ip [source_wildcard] [log] // repeat to create multiple entries, which are numbered automatically.
- interface interface_id
- ip access-group acl_number { in | out } // applies ACL to interface
Configuring Named Standard IPv4 ACL (5)
- ip access-list standard acl_name
- {deny | permit | remark } source_ip [source_wildcard] [log] // repeat to create entries.
- Exit ACL Config Mode
- interface interface_id
- ip access-group acl_name {in | out } // applies ACL to interface.
Editing ACLs with Text Editor (3)
- use show running-config | include access-list {acl_number | acl_name} to display the list.
- Copy acl section into text editor.
- Make changes to ACL and then paste back into router terminal.
Editing ACLs with Sequence Number (4)
- use show access-lists {acl_number | acl_name} to display the current ACEs within the designated ACL.
- use ip access-list {standard | extended} {acl_number | acl_name} to enter ACL config mode.
- Delete the old ACE with no acl_sequence_number
- Edit by entering: acl_sequence_number modified_ACE
ex: 10 deny host 192.168.10.10
3 Methods to Verify ACLs
- show access-lists [acl_name | acl_number]
- show ip interface interface_id
- show running-config | include access-list [acl_name | acl_number]
How to Determine if an ACL is Working Properly
show access-lists: displays the match count for each permit or deny entry as the ACL is used.
Command used to clear the match counters in an access list.
clear access-list counters [acl_number | acl_name]
Using ACL to Control VTY Access
- line vty vty_range
- access-class acl_number {in [vrf-also] | out}
- exit
- access-list acl_number {permit | deny | remark } source_ip [source_wildcard] [log]
- access-list acl_number deny any
Logical Operators That Can Be Used in Extended ACLs (4)
- eq (equal)
- neq (not equal)
- gt (greater than)
- lt (less than)